r2cLEMENCy
Build plugins to support the cLEMENCy architecture
MaskRay
September 9, 2017
r2con 2017
whoami
• MaskRay (宋方睿 Sòng Fāng-ruì)
• https://maskray.me Twitter @HaskRay
• Software Engineer, San Francisco Bay Area, California, US
• Member of Tea Deliverers (CTF team)
• DEF CON 21∼25 CTF Finals (21∼23 blue-lotus, 24 b1o0p, 25 Tea-Deliverers)
• Sadly my RE skill has not improved much over the years…
1
Tea Deliverers
• Tea Deliverers = blue-lotus + Nu1L + 110066 + Chaitin Tech
• Chinese
https://maskray.me/blog/2017-08-01-defcon-25-ctf
2
DEF CON 25 CTF Finals
Curtain call of 5-year organizer Legitimate Business Syndicate
3
cLEMENCy
• Architecture developed by Lightning
• 1 ‘byte’ (nyte) = 9 bits
• 32 27-bit registers + 1 flags register (Zero, Carry, Overflow, Sign + others)
• ST=r29 (stack register), RA=r30 (link register), PC=r31, r28 (frame register)
• middle-endian
• https://github.com/legitbs/cLEMENCy
• https://blog.legitbs.net/2017/07/def-con-ctf-2017-final-scores-and-data.html
4
cLEMENCy manual
5
clemency-emu
% cLEMENCy/cLEMENCy-emu/clemency-emu-debug -d 0 hello.bin
> t # step
R00: 0000000 R01: 0000019 R02: 0000002 R03: 0000007
R04: 0000000 R05: 0000000 R06: 0000000 R07: 0000000
R08: 0000000 R09: 0000000 R10: 0000000 R11: 0000000
R12: 0000000 R13: 0000000 R14: 0000000 R15: 0000000
R16: 0000000 R17: 0000000 R18: 0000000 R19: 0000000
R20: 0000000 R21: 0000000 R22: 0000000 R23: 0000000
R24: 0000000 R25: 0000000 R26: 0000000 R27: 0000000
R28: 0000000 ST: 0000000 RA: 0000000 PC: 0000006
FL: 0000000
0000006: 5200780 smp R00, R01, E
> db 2 3 # hexdump
0000002: 040 001 000
> u 0 2 # disassemble
0000000: 2b0402000002b8 ldt R01, [R00 + 0x57, 3]
0000006: 5200780 smp R00, R01, E
6
Instructions
• 2,3,4,6 nytes
• AD r0, r1, r2 # ADd
• ADCI r0, r1, -4 # ADd Immediate with Carry
• M-suffixed instructions: adjacent registers as a pair
• DVSM r3, r27, r31 # r3:r4 = (r27<<27 | r28) / (r31<<27 | r0)
• LD[SWT] # LoaD 1/2/3 nytes, middle-endian
• ST[SWT] # STore 1/2/3 nytes, middle-endian
7
Middle-endian
Word of 2 nytes: a[1] << 9 | a[0]
  low 0 1 high
Tri-word of 3 nytes: a[1] << 18 | a[0] << 9 | a[2]
  low 2 0 1 high
(the middle nyte is stored first, then the high nyte, then the low nyte)
8
Instruction decoding
Instructions consist of 3-nyte groups, with permutation in each group
Opcode in high bits
2 nytes low 0 1 high
3 nytes low 2 0 1 high
4 nytes low 3 2 0 1 high
6 nytes low 5 3 4 2 0 1 high
9
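The word and tri-word layouts from the previous slide and the per-group permutation from this one are small enough to check in code. The following C is an added example, not code from r2cLEMENCy or clemency-emu: it loads words and tri-words from memory-order nytes (held in uint16_t, as io_clcy expands them), does the inverse store, and generalises the four tables above into one decoder for any of the 2/3/4/6-nyte instruction lengths. The nyte values in main are constructed from the clemency-emu session shown earlier (db printed 040 001 000 at addresses 2..4; the other three nytes follow from the permutation); every function name is this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from r2cLEMENCy. Nytes are held in uint16_t
 * (already expanded from 9 bits, as io_clcy stores them); `a` and `m`
 * are memory-order nyte arrays. */
#define NYTE_MASK 0x1FFu

/* Word (2 nytes): value = a[1] << 9 | a[0]   (low 0 1 high) */
uint32_t clcy_load_word(const uint16_t *a) {
  return ((uint32_t)(a[1] & NYTE_MASK) << 9) | (a[0] & NYTE_MASK);
}

/* Tri-word (3 nytes): value = a[1] << 18 | a[0] << 9 | a[2]   (low 2 0 1 high):
 * the middle nyte is stored first, then the high nyte, then the low nyte. */
uint32_t clcy_load_tri(const uint16_t *a) {
  return ((uint32_t)(a[1] & NYTE_MASK) << 18) |
         ((uint32_t)(a[0] & NYTE_MASK) << 9) |
          (a[2] & NYTE_MASK);
}

/* Inverse of clcy_load_tri: what STT (or an assembler writing into the
 * image) has to do. */
void clcy_store_tri(uint16_t *a, uint32_t v) {
  a[0] = (v >> 9) & NYTE_MASK;   /* middle nyte first */
  a[1] = (v >> 18) & NYTE_MASK;  /* high nyte second */
  a[2] = v & NYTE_MASK;          /* low nyte last */
}

/* Instructions are 3-nyte groups, each permuted like a tri-word
 * (high-to-low g1 g0 g2); a trailing 2-nyte group is g1 g0 and a trailing
 * single nyte is g0. That reproduces the slide's tables:
 *   2 nytes: low 0 1 high        4 nytes: low 3 2 0 1 high
 *   3 nytes: low 2 0 1 high      6 nytes: low 5 3 4 2 0 1 high
 * Returns the 9*n-bit encoding with the opcode in the high bits, or 0 for
 * a length cLEMENCy does not use. */
uint64_t clcy_decode_insn(const uint16_t *m, int n) {
  static const int order[3][3] = { {0, -1, -1}, {1, 0, -1}, {1, 0, 2} };
  if (n != 2 && n != 3 && n != 4 && n != 6) return 0;
  uint64_t v = 0;
  for (int g = 0; g * 3 < n; g++) {
    int len = (n - g * 3 < 3) ? n - g * 3 : 3;
    for (int k = 0; k < len; k++) {
      v = (v << 9) | (m[g * 3 + order[len - 1][k]] & NYTE_MASK);
    }
  }
  return v;
}

/* Store a tri-word and read it back both ways; 1 if everything agrees. */
int clcy_tri_roundtrip_ok(uint32_t v) {
  uint16_t a[3];
  clcy_store_tri(a, v);
  return clcy_load_tri(a) == v && clcy_decode_insn(a, 3) == v;
}

int main(void) {
  /* Constructed from the clemency-emu session: memory nytes of the 6-nyte
   * `ldt R01, [R00 + 0x57, 3]` at address 0. */
  const uint16_t ldt[6] = { 0x040, 0x158, 0x040, 0x001, 0x000, 0x0b8 };
  printf("%014llx\n", (unsigned long long)clcy_decode_insn(ldt, 6)); /* 2b0402000002b8 */
  return 0;
}
```

The 6-nyte case is the one worth keeping as a regression test: the value the decoder produces must match the hex that clemency-emu's `u` command printed for the same instruction, which pins down the permutation without consulting the manual.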
Memory mappings
[0000000,4000000) Main Program Memory
[4000000,400001e) Clock IO
[4010000,4011000) Flag IO # Capture the Flag!
[5000000,5002000) Data Received
[5002000,5002003) Data Received Size
[5010000,5012000) Data Sent
[5012000,5012003) Data Sent Size
[5100000,5104000) NFO file
[7ffff00,7ffff1c) Interrupt Pointers
[7ffff80,8000000) Processor Identification and Features
left-closed right-open intervals are convenient
10
radare2 plugins
• https://github.com/MaskRay/r2cLEMENCy
• io_9bit.so: IO
• core_clcy.so: custom commands
• bin_clcy.so: loader
• asm_clcy.so: (dis)assembler
• anal_clcy.so: instruction semantics and emulation
• parse_clcy.so: C-like pseudo disassembler and asm.varsub
• More plugin types in core/libs.c:r_core_loadlibs_init
• language, filesystem, debugger, debugger breakpoint, egg
11
1 nyte = 9 bits
Expand 1 nyte to 16-bit unsigned short
12
r_io_plugin_clcy
RIOPlugin r_io_plugin_clcy = {
  .name = "clcy",
  .desc = "cLEMENCy io",
  .license = "LGPL3",
  .check = _check,
  .close = _close,
  .extend = _extend,
  .lseek = _lseek,
  .open = _open,
  .read = _read,
  .write = _write,
};
13
io_clcy
• .open: file → 9-bit units → 16-bit units (2 bytes)
• len = len_bytes*8/9; buf = malloc(len*2);
• One address unit has 2 bytes
io->addrbytes = 2; // RIO::addrbytes
• len argument in read/write still refers to bytes, not 16-bit
• Make sure buffers used by read()/write() are aware of RIO::addrbytes
• .close: 16-bit → 9-bit → file
14
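The .open and .close conversions from the last three slides, written out as an added example (not io_clcy's own code). It assumes the image file is a plain bit stream of 9-bit nytes, most significant bit first, so 9 bytes carry 8 nytes and len = len_bytes*8/9 as on the slide; each nyte is expanded into one uint16_t, the 2-byte address unit the plugin advertises through RIO::addrbytes. The function names and the sample bytes are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not io_clcy's code. Assumption: the image is a bit stream
 * of 9-bit nytes, MSB first; a partial trailing nyte is dropped, exactly as
 * len_bytes * 8 / 9 does on the slide. */

size_t clcy_nyte_count(size_t len_bytes) {
  return len_bytes * 8 / 9;
}

static unsigned get_bit(const uint8_t *bytes, size_t bit) {
  return (bytes[bit >> 3] >> (7 - (bit & 7))) & 1u;
}

/* Nyte i of the stream, or 0xFFFF when i is past the end. */
uint16_t clcy_nyte_at(const uint8_t *bytes, size_t len_bytes, size_t i) {
  if (i >= clcy_nyte_count(len_bytes)) return 0xFFFF;
  unsigned acc = 0;
  for (int k = 0; k < 9; k++) {        /* the 9 bits may straddle 2 bytes */
    acc = (acc << 1) | get_bit(bytes, i * 9 + k);
  }
  return (uint16_t)acc;
}

/* .open direction: bytes -> 9-bit units -> 16-bit units. `out` needs
 * clcy_nyte_count(len_bytes) elements; returns how many were written. */
size_t clcy_unpack9(const uint8_t *bytes, size_t len_bytes, uint16_t *out) {
  size_t len = clcy_nyte_count(len_bytes);
  for (size_t i = 0; i < len; i++) out[i] = clcy_nyte_at(bytes, len_bytes, i);
  return len;
}

/* .close direction: 16-bit units -> 9-bit units -> bytes. `out` needs
 * (len * 9 + 7) / 8 bytes; returns how many were written. Only the low
 * 9 bits of each uint16_t are meaningful, so the rest are ignored. */
size_t clcy_pack9(const uint16_t *nytes, size_t len, uint8_t *out) {
  size_t out_len = (len * 9 + 7) / 8;
  memset(out, 0, out_len);
  for (size_t i = 0; i < len; i++) {
    for (int k = 0; k < 9; k++) {
      size_t bit = i * 9 + k;
      if ((nytes[i] >> (8 - k)) & 1u) out[bit >> 3] |= (uint8_t)(0x80u >> (bit & 7));
    }
  }
  return out_len;
}

/* Round-trip a stream whose length is a multiple of 9 bytes (so no bits
 * are lost); 1 if the bytes come back unchanged. */
int clcy_roundtrip9_ok(const uint8_t *bytes, size_t len_bytes) {
  if (len_bytes == 0 || len_bytes % 9 != 0 || len_bytes > 9 * 128) return 0;
  uint16_t nytes[8 * 128];
  uint8_t back[9 * 128];
  size_t n = clcy_unpack9(bytes, len_bytes, nytes);
  return clcy_pack9(nytes, n, back) == len_bytes && memcmp(bytes, back, len_bytes) == 0;
}

int main(void) {
  const uint8_t sample[3] = { 0x80, 0x40, 0x20 };  /* constructed: two nytes of 0x100 */
  uint16_t nytes[2];
  size_t n = clcy_unpack9(sample, sizeof sample, nytes);
  for (size_t i = 0; i < n; i++) printf("%03x ", nytes[i]);
  printf("\n");
  return 0;
}
```

Two details matter for a plugin: a file whose length is not a multiple of 9 bytes loses its trailing bits on .open, so .close cannot reproduce it byte for byte, and a uint16_t written through .write with bits above bit 8 set is silently truncated on the way back to disk.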
RIO::addrbytes
// A buffer of length RCore::blocksize (default: 256) contains
// blocksize/addrbytes (256/2=128) address units
// Before (every address unit is 1 byte):
while (idx < len) {
  r_anal_op (anal, &op, addr + idx, buf + idx, len - idx);
  ...
}
// After (buf access is aware of RIO::addrbytes):
while (addrbytes * idx < len) {
  r_anal_op (anal, &op, addr + idx, buf + addrbytes * idx,
             len - addrbytes * idx);
  ...
}
15
Call path of a user command
• r_core_prompt_exec
• r_core_cmd
• r_core_subst(;,repeat,comment)
• r_core_subst_i
• r_core_subst_i(@, backquotes, double quotes, grep, pipe, redirection)
• r_cmd_call
• RCorePlugin::call / builtin commands
(RCore.cmds.cmd['p'])
16
r_core_plugin_clcy
RCorePlugin r_core_plugin_clcy = {
  .name = "clcy",
  .desc = "cLEMENCy core",
  .license = "LGPL3",
  .call = r_cmd_clcy,
};
static int r_cmd_clcy(struct r_core_t *core, const char *input) {
  if (input[0] == '_') {
    ...
    case 'x': hexdump_9byte (core, input, l); break; // "_px"
    case 'w': hexdump_18word (core, input, l); break; // "_pw"
    case 't': hexdump_27tri (core, input, l); break; // "_pt"
    ...
    return true;
  }
  return false;
}
17
bin_clcy
• Create sections according to cLEMENCy memory mappings
• .add=true, .name="Main", .paddr=0, .size=sz, .vsize=0x4000000, .srwx=R_IO_READ|R_IO_EXEC
• Simple IO Layer creates two RIOMap
• file map [0, size) + null map [size, vsize)
18
om
[Main_Program_Memory:0x00000000]> om
10 fd: 3 +0x00000000 0x00000000 - 0x00006b67 -r-x fmap.Main_Program_Memory
9 fd: 12 +0x00000000 0x00006b68 - 0x03ffffff -r-x mmap.Main_Program_Memory
8 fd: 11 +0x00000000 0x00000000 - 0x0000001d -rw- mmap.Clock_IO
7 fd: 10 +0x00000000 0x04010000 - 0x04010fff -r-- mmap.Flag_IO
6 fd: 9 +0x00000000 0x05000000 - 0x05001fff -rw- mmap.Data_Received
5 fd: 8 +0x00000000 0x05002000 - 0x05002001 -rw- mmap.Data_Received_Size
4 fd: 7 +0x00000000 0x05010000 - 0x05011fff -rw- mmap.Data_Sent
3 fd: 6 +0x00000000 0x05012000 - 0x05012001 -rw- mmap.Data_Sent_Size
#2 fd: 5 +0x00000000 0x05100000 - 0x05103fff -r-x mmap.NFO
1 fd: 4 +0x00000000 0x07ffff00 - 0x07ffff1b -rw- mmap.Interrupt_Pointers
Main Program Memory has both file map (fmap.) and null map (mmap.)
19
r_bin_plugin_clcy
RBinPlugin r_bin_plugin_clcy = {
  .name = "clcy",
  .desc = "cLEMENCy bin plugin",
  .license = "LGPL3",
  .baddr = _baddr,
  .check_bytes = _check_bytes,
  .create = _create,
  .destroy = _destroy,
  .info = _info,
  .load = _load,
  .minstrlen = 0,
  .patch_relocs = _patch_relocs,
  .sections = _sections,
};
20
bin_clcy
• How to initialize NFO?
• .patch_relocs
• Patch relocations in ELF/bFLT/CGC (Cyber Grand Challenge), especially useful for ET_REL
• Abuse it: create and initialize a malloc:// map
21
bin_clcy _patch_relocs
static RList *_patch_relocs(RBin *b) {
  ...
  RIOSection sec = {.name = "NFO", .size = n_buf * 2, .vsize = 0x4000,
                    .flags = R_IO_READ | R_IO_EXEC};
  (void)r_io_create_mem_map (b->iob.io, &sec, NFO_VADDR, false);
  (void)r_io_write_at (b->iob.io, NFO_VADDR, (const ut8 *)buf, len * 2);
  ...
}
22
asm_clcy
• IDA Pro processor in the game, processor_t.{ana,out}
• disassembler
• assembler
• https://github.com/pwning/defcon25-public by Plaid Parliament of Pwning
• X macros
23
r_asm_plugin_clcy
static RAsmPlugin r_asm_plugin_clcy = {
  .name = "clcy",
  .desc = "cLEMENCy asm",
  .arch = "clcy",
  .license = "LGPL3",
  .bits = 64, // in accordance with r_anal_plugin_clcy
  .disassemble = _disassemble,
  .assemble = _assemble,
};
24
asm_clcy struct inst_t
typedef struct {
  ut64 code, opcode;
  int id, size;
  ut32 pc, funct;
  st32 imm;
  ut16 cc, reg_count;
  ut8 adj_rb, arith_signed, is_imm, mem_flags, rA, rB, rC, rw, uf;
} inst_t;
25
asm_clcy disassembler
// Group instructions by forms
do {
  FORMAT( R ) // assume this is an R-form instruction
  // If funct == 0b0000000 && arith_signed == 0 && is_imm == 0
  // this is ad --> break
  INS_3( ad, 0b0000000, funct, 0, arith_signed, 0, is_imm, 0 )
  // Try adc
  INS_3( adc, 0b0100000, funct, 0, arith_signed, 0, is_imm, 0 )
  // Try others
  ...
  FORMAT( R_IMM ) // assume this is an R_IMM-form instruction
  INS_2( adci, 0b0100000, arith_signed, 0, is_imm, 1 )
  ...
} while (0);
#define FORMAT(fmt) ok = decode_##fmt ...
#define INS_1(x,opc,f1,v1) if (inst.opcode==opc && inst.f1==v1) ...
#define INS_2(x,opc,f1,v1,f2,v2) \
  if (inst.opcode==opc && inst.f1==v1 && inst.f2==v2) ...
26
pdf
Descriptions: asm/d/clcy.sdb
27
asm_clcy assembler
• "wa ldt r1, [r0+0x57, 7]; ad. r0,r1,r1"
• Recursive descent parser: parse_{imm,rA,rB,rC,uf,comma,space,…}
• Reuse X macros in disassembler
Suggest using a recursive descent parser in command parsing
28
asm_clcy assemble_BIN_R_IMM
#define FIELD(name, offset, count) \
  | ((ut64)inst->name << (bit_size - count - offset))
#define FORM_BIN_R_IMM \
  FIELD(opcode, 0, 8) \
  FIELD(rA, 8, 5) \
  FIELD(imm, 13, 14)
static int assemble_BIN_R_IMM(inst_t *inst, const char **src) {
  int bit_size = 27;
  if (parse_space (inst, src)) return 1; // parse error
  if (parse_rA (inst, src)) return 1;
  if (parse_comma (inst, src)) return -1;
  if (parse_imm_st (inst, src, 14)) return 2;
  inst->imm &= (1 << 14) - 1; // keep the 14-bit two's complement field
  if (parse_end (src)) return 2;
  inst->size = 3; // 3 nytes
  inst->code = 0 FORM_BIN_R_IMM; // OR all fields together
  return 0;
}
29
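The FIELD convention above (offset counted from the high end, shift = bit_size - count - offset) and the immediate masking are easy to get subtly wrong in both directions, so here is the encode/decode pair as an added example, not the r2cLEMENCy assembler. It keeps the slide's opcode:8 rA:5 imm:14 layout of FORM_BIN_R_IMM and shows the step the disassembler needs that the assembler slide only hints at: sign-extending the 14-bit field back, so that -4 does not come out as 0x3ffc. The opcode value used as sample input is constructed and not a real cLEMENCy opcode; all names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not the r2cLEMENCy assembler. FIELD-style convention:
 * `count` bits at `offset` from the high end of a BIT_SIZE-wide encoding,
 * i.e. shifted left by BIT_SIZE - count - offset. */
#define BIT_SIZE 27
#define PUT(v, offset, count) \
  ((((uint64_t)(v)) & ((1ull << (count)) - 1)) << (BIT_SIZE - (count) - (offset)))
#define GET(code, offset, count) \
  (((uint64_t)(code) >> (BIT_SIZE - (count) - (offset))) & ((1ull << (count)) - 1))

typedef struct {
  uint32_t opcode;  /* 8 bits */
  uint32_t rA;      /* 5 bits */
  int32_t imm;      /* 14-bit signed immediate */
} bin_r_imm_t;

/* Assemble: each field is masked to its width, so a negative imm becomes
 * its 14-bit two's complement (what `inst->imm &= (1 << 14) - 1` does). */
uint32_t encode_bin_r_imm(const bin_r_imm_t *i) {
  return (uint32_t)(PUT(i->opcode, 0, 8) | PUT(i->rA, 8, 5) | PUT(i->imm, 13, 14));
}

/* Sign-extend a `bits`-wide two's complement field to int32_t. */
int32_t sext(uint32_t v, int bits) {
  uint32_t m = 1u << (bits - 1);
  v &= (m << 1) - 1;
  return (int32_t)((v ^ m) - m);
}

/* Disassemble: the immediate must be sign-extended again, otherwise the
 * listing prints 0x3ffc where the source said -4. */
bin_r_imm_t decode_bin_r_imm(uint32_t code) {
  bin_r_imm_t i;
  i.opcode = (uint32_t)GET(code, 0, 8);
  i.rA = (uint32_t)GET(code, 8, 5);
  i.imm = sext((uint32_t)GET(code, 13, 14), 14);
  return i;
}

/* 1 if encode and decode are inverses for these operands (imm must fit 14 bits). */
int bin_r_imm_roundtrip_ok(uint32_t opcode, uint32_t rA, int32_t imm) {
  bin_r_imm_t in = { opcode, rA, imm };
  bin_r_imm_t out = decode_bin_r_imm(encode_bin_r_imm(&in));
  return out.opcode == opcode && out.rA == rA && out.imm == imm;
}

int main(void) {
  bin_r_imm_t sample = { 0x40, 1, -4 };  /* constructed operands, not a real opcode */
  printf("%07x\n", encode_bin_r_imm(&sample)); /* 2007ffc */
  return 0;
}
```

Running the assembler and disassembler against each other like this (assemble, disassemble, compare) is the same trick the parse_clcy slide later uses to produce its output, so the round-trip helper is worth keeping as a unit test for every form.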
wa
30
anal_clcy
• IDA Pro processor in the game, processor_t.emu
• Differentiate JMP/CALL/MOV/PUSH/RET/SWI/…, whether COND,IND,MEM,REG,… are used
• R_ANAL_OP_TYPE_{JMP,COND,RCALL,RJMP,CRET,…}
• include/r_anal.h anal/p/anal_gb.c
• Stack pointer delta (arguments, local variables), add_stkpnt
• ESIL translator
31
ESIL
• Evaluable Strings Intermediate Language
• anal/esil.c
• Stack-oriented, Forth, DWARF expressions
• mh r0, 0xffdf: 0x3ff,r0,&,10,65503,<<,|,r0,=
• Decent support for 32/64 bits, needing work for 8/16 bits
• What if 27-bit/54-bit (register pair) + middle-endian?
32
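To make the stack-oriented notation concrete, here is a toy evaluator for just the subset of ESIL the mh example uses, written as an added example that is not radare2's anal/esil.c. It keeps operands on the stack as strings until an operator needs a number, which is what lets "r0,=" pop the register name rather than its value, and it masks every assignment to 27 bits, the same trick the next slide describes (RAnal::bits set to 64, 27-bit semantics applied by hand). Names and the initial register value are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not radare2's ESIL engine: numbers, r0..r31, the binary
 * operators & | << and assignment =, evaluated on 64-bit integers with
 * 27-bit register width. */
#define MASK27 0x7FFFFFFull
#define NREGS 32
#define STACK_MAX 64

typedef struct { uint64_t r[NREGS]; } clcy_regs_t;

/* Token stack: ESIL keeps operands as text until an operator needs a value. */
typedef struct {
  const char *s[STACK_MAX];
  char num[STACK_MAX][24];  /* storage for results pushed back as text */
  int sp;
} esil_stack_t;

static int reg_index(const char *tok) {
  if (tok[0] != 'r' || tok[1] == '\0') return -1;
  char *end;
  long n = strtol(tok + 1, &end, 10);
  return (*end == '\0' && n >= 0 && n < NREGS) ? (int)n : -1;
}

static int push(esil_stack_t *st, const char *tok) {
  if (st->sp >= STACK_MAX) return -1;
  st->s[st->sp++] = tok;
  return 0;
}

static int push_num(esil_stack_t *st, uint64_t v) {
  if (st->sp >= STACK_MAX) return -1;
  snprintf(st->num[st->sp], sizeof st->num[st->sp], "0x%llx", (unsigned long long)v);
  st->s[st->sp] = st->num[st->sp];
  st->sp++;
  return 0;
}

/* Pop a token and resolve it: register name or numeric literal. */
static int pop_num(esil_stack_t *st, const clcy_regs_t *regs, uint64_t *out) {
  if (st->sp == 0) return -1;
  const char *tok = st->s[--st->sp];
  int ri = reg_index(tok);
  if (ri >= 0) { *out = regs->r[ri]; return 0; }
  char *end;
  *out = strtoull(tok, &end, 0);
  return (end != tok && *end == '\0') ? 0 : -1;
}

/* Evaluate a comma-separated expression. For binary operators the top of
 * stack is the left operand, as in ESIL: "10,65503,<<" is 65503 << 10.
 * "=" pops the destination name, then the value. 0 on success, -1 on error. */
int esil_eval(clcy_regs_t *regs, const char *expr) {
  char buf[256];
  esil_stack_t st = { .sp = 0 };
  if (strlen(expr) >= sizeof buf) return -1;
  strcpy(buf, expr);
  for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
    uint64_t x, y;
    if (!strcmp(tok, "=")) {
      if (st.sp < 2) return -1;
      int dst = reg_index(st.s[--st.sp]);
      if (dst < 0 || pop_num(&st, regs, &x)) return -1;
      regs->r[dst] = x & MASK27;          /* registers are 27 bits wide */
    } else if (!strcmp(tok, "&") || !strcmp(tok, "|") || !strcmp(tok, "<<")) {
      if (pop_num(&st, regs, &x) || pop_num(&st, regs, &y)) return -1;
      uint64_t r = tok[0] == '&' ? (x & y) : tok[0] == '|' ? (x | y)
                 : (y >= 64 ? 0 : x << y);
      if (push_num(&st, r)) return -1;
    } else if (push(&st, tok)) {
      return -1;
    }
  }
  return st.sp == 0 ? 0 : -1;  /* a well-formed statement leaves nothing behind */
}

/* Run expr with r0 preset; returns the final r0, or UINT64_MAX on error. */
uint64_t esil_eval_r0(uint64_t r0, const char *expr) {
  clcy_regs_t regs = { {0} };
  regs.r[0] = r0 & MASK27;
  return esil_eval(&regs, expr) ? UINT64_MAX : regs.r[0];
}

int main(void) {
  /* mh r0, 0xffdf from the slide, with a constructed initial r0 */
  printf("%07llx\n", (unsigned long long)esil_eval_r0(0x1234567, "0x3ff,r0,&,10,65503,<<,|,r0,=")); /* 3ff7d67 */
  return 0;
}
```

Stepping through the mh expression: "0x3ff,r0,&" keeps the low 10 bits of r0, "10,65503,<<" builds 0xffdf << 10, "|" merges them, and "r0,=" writes the result back; only the final "=" touches machine state, everything before it is pure stack arithmetic.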
anal_clcy ESIL
• Just set RAnal::bits to 64 and define custom commands (r_anal_esil_set_op)
• binop: another argument for variants (carry/multi reg/imm/signedness/update flags) + instruction family (add/sub/…)
• addcm. r3,r2,r0 : "r0,r2,r3,'.cm+,binop"
• '.cm+
• ' no special, arbitrary character borrowed from Lisp
• . update flags
• c with carry
• + add
33
clcy_custom_binop
r_anal_esil_set_op (esil, "binop", clcy_custom_binop);
static int clcy_custom_binop(RAnalEsil *esil) {
  bool carry = false, uf = false, mf;
  char *op = r_anal_esil_pop (esil), *op1 = op + 1,
       *rA = r_anal_esil_pop (esil), *rB = r_anal_esil_pop (esil),
       *rC = r_anal_esil_pop (esil);
  ...
  if (*op1 == '.') uf = true, op1++; // .: update flags
  if (*op1 == 'c') carry = true, op1++; // c: carry
  if (*op1 == 'm') ... // m: multi reg
  switch (*op1) {
  case '+': a = b + c; if (carry && read_fl (esil) & 2) a++; ...
  case '-': ...
  }
  if (uf) { /* update Carry/Overflow/Sign/Zero flags */ }
  ...
}
34
Local variables/arguments detection
• Analysis engine detects with patterns like 0x..,st,+
• We have custom load/store commands to emulate LD[STW], ST[STW]
• No-op 0x34,st,+,POP to appease analysis engine
35
RAnalPlugin
static RAnalPlugin r_anal_plugin_clcy = {
  .name = "clcy",
  .desc = "cLEMENCy analysis",
  .license = "LGPL3",
  .arch = "clcy",
  .bits = 64, // we use 64-bit integers in esil to emulate 27-bit and 54-bit
  .esil_init = esil_clcy_init,
  .esil_fini = esil_clcy_fini,
  .esil_intr = esil_clcy_intr,
  .esil = true,
  .op = &clcy_op,
  .set_reg_profile = set_reg_profile,
};
36
VV
37
parse_clcy
• Bad name
https://github.com/radare/radare2/issues/4317
• How to substitute variables for BP/SP offsets: asm.varsub
• How to generate C-like pseudo disassembly: pdc
38
r_parse_plugin_clcy
static int _parse(RParse *p, const char *src, char *dst);
static bool _varsub(RParse *p, RAnalFunction *f, ut64 addr,
                    int oplen, char *src, char *dst, int len);
RParsePlugin r_parse_plugin_clcy = {
  .name = "clcy",
  .desc = "cLEMENCy",
  .parse = _parse,
  .varsub = _varsub,
};
39
parse_clcy _parse
static int _parse(RParse *p, const char *src, char *dst) {
  RCore *core = p->user;
  RAsmOp op;
  int len;
  // `assemble` could be saved if we had access to metadata of previous
  // call to `assemble`
  if ((len = assemble (core->assembler->pc, &op, src)) > 0 &&
      disassemble (core->assembler->pc, &op, op.buf, len, true) > 0) {
    strcpy (dst, op.buf_asm);
  } else {
    strcpy (dst, src);
  }
  return true;
}
40
pdc
41
parse_clcy _varsub
static bool _varsub(RParse *p, RAnalFunction *f, ut64 addr, int oplen,
                    char *src, char *dst, int len) {
  ...
  // Stack register variable st+%#x
  r_list_foreach (bpargs, iter, var) {
    if (var->delta >= 0) {
      sub = r_str_newf ("[st+%#x", var->delta);
    } else {
      sub = r_str_newf ("[st-%#x", -var->delta);
    }
    // replace sub with var->name
    ...
  }
}
42
asm.varsub
See local_* variables. 0 offset is not handled currently
43
debug_clcy
Left as exercise.
44
https://github.com/MaskRay/r2cLEMENCy
Questions?
45

 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
software engineering Chapter 5 System modeling.pptx
software engineering Chapter 5 System modeling.pptxsoftware engineering Chapter 5 System modeling.pptx
software engineering Chapter 5 System modeling.pptx
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 

r2con 2017 r2cLEMENCy

Instructions
• 2,3,4,6 nytes
• AD r0, r1, r2 # ADd
• ADCI r0, r1, -4 # ADd Immediate with Carry
• M-suffixed instructions: adjacent registers as a pair
• DVSM r3, r27, r31 # r3:r4 = (r27<<27 | r28) / (r31<<27 | r0)
• LD[SWT] # LoaD 1/2/3 nytes, middle-endian
• ST[SWT] # STore 1/2/3 nytes, middle-endian
7

Middle-endian
Word of 2 nytes: a[1] << 9 | a[0]
  low [0][1] high
Tri-word of 3 nytes: a[1] << 18 | a[0] << 9 | a[2]
  low [2][0][1] high
(the boxes list memory nyte indices from least to most significant)
8

Instruction decoding
Instructions consist of 3-nyte groups, with permutation in each group
Opcode in high bits
2 nytes: low [0][1] high
3 nytes: low [2][0][1] high
4 nytes: low [3][2][0][1] high
6 nytes: low [5][3][4][2][0][1] high
9

Memory mappings
[0000000,4000000) Main Program Memory
[4000000,400001e) Clock IO
[4010000,4011000) Flag IO # Capture the Flag!
[5000000,5002000) Data Received
[5002000,5002003) Data Received Size
[5010000,5012000) Data Sent
[5012000,5012003) Data Sent Size
[5100000,5104000) NFO file
[7ffff00,7ffff1c) Interrupt Pointers
[7ffff80,8000000) Processor Identification and Features
left-closed right-open intervals are convenient
10

radare2 plugins
• https://github.com/MaskRay/r2cLEMENCy
• io_9bit.so: IO
• core_clcy.so: custom commands
• bin_clcy.so: loader
• asm_clcy.so: (dis)assembler
• anal_clcy.so: instruction semantics and emulation
• parse_clcy.so: C-like pseudo disassembler and asm.varsub
• More plugin types in core/libs.c:r_core_loadlibs_init
  • language, filesystem, debugger, debugger breakpoint, egg
11

1 nyte = 9 bits
Expand 1 nyte to 16-bit unsigned short
12

r_io_plugin_clcy
RIOPlugin r_io_plugin_clcy = {
  .name = "clcy",
  .desc = "cLEMENCy io",
  .license = "LGPL3",
  .check = _check,
  .close = _close,
  .extend = _extend,
  .lseek = _lseek,
  .open = _open,
  .read = _read,
  .write = _write,
};
13

io_clcy
• .open: file → 9-bit units → 16-bit units (2 bytes)
  • len = len_bytes*8/9; buf = malloc(len*2);
• One address unit has 2 bytes
  io->addrbytes = 2; // RIO::addrbytes
• len argument in read/write still refers to bytes, not 16-bit units
• Make sure buffers used by read()/write() are aware of RIO::addrbytes
• .close: 16-bit → 9-bit → file
14
RIO::addrbytes
// A buffer of length RCore::blocksize (default: 256) contains
// blocksize/addrbytes (256/2=128) address units
// Before (every address unit is 1 byte):
while (idx < len) {
  r_anal_op (anal, &op, addr + idx, buf + idx, len - idx);
// After (buf access is aware of RIO::addrbytes):
while (addrbytes * idx < len) {
  r_anal_op (anal, &op, addr + idx, buf + addrbytes * idx, len - addrbytes * idx);
15

Call path of a user command
• r_core_prompt_exec
• r_core_cmd
• r_core_subst (;, repeat, comment)
• r_core_subst_i
• r_core_subst_i (@, backquotes, double quotes, grep, pipe, redirection)
• r_cmd_call
• RCorePlugin::call / builtin commands (RCore.cmds.cmd['p'])
16

r_core_plugin_clcy
RCorePlugin r_core_plugin_clcy = {
  .name = "clcy",
  .desc = "cLEMENCy core",
  .license = "LGPL3",
  .call = r_cmd_clcy,
};

static int r_cmd_clcy(struct r_core_t *core, const char *input) {
  if (input[0] == '_') {
    ...
    case 'x': hexdump_9byte (core, input, l); break; // "_px"
    case 'w': hexdump_18word (core, input, l); break; // "_pw"
    case 't': hexdump_27tri (core, input, l); break; // "_pt"
    ...
    return true;
  }
  return false;
}
17

bin_clcy
• Create sections according to cLEMENCy memory mappings
  • .add=true, .name="Main", .paddr=0, .size=sz,
  • .vsize=0x4000000, .srwx=R_IO_READ|R_IO_EXEC
• Simple IO Layer creates two RIOMap
  • file map [0, size) + null map [size, vsize)
18

om
[Main_Program_Memory:0x00000000]> om
10 fd: 3 +0x00000000 0x00000000 - 0x00006b67 -r-x fmap.Main_Program_Memory
9 fd: 12 +0x00000000 0x00006b68 - 0x03ffffff -r-x mmap.Main_Program_Memory
8 fd: 11 +0x00000000 0x00000000 - 0x0000001d -rw- mmap.Clock_IO
7 fd: 10 +0x00000000 0x04010000 - 0x04010fff -r-- mmap.Flag_IO
6 fd: 9 +0x00000000 0x05000000 - 0x05001fff -rw- mmap.Data_Received
5 fd: 8 +0x00000000 0x05002000 - 0x05002001 -rw- mmap.Data_Received_Size
4 fd: 7 +0x00000000 0x05010000 - 0x05011fff -rw- mmap.Data_Sent
3 fd: 6 +0x00000000 0x05012000 - 0x05012001 -rw- mmap.Data_Sent_Size
#2 fd: 5 +0x00000000 0x05100000 - 0x05103fff -r-x mmap.NFO
1 fd: 4 +0x00000000 0x07ffff00 - 0x07ffff1b -rw- mmap.Interrupt_Pointers
Main Program Memory has both file map (fmap.) and null map (mmap.)
19

r_bin_plugin_clcy
RBinPlugin r_bin_plugin_clcy = {
  .name = "clcy",
  .desc = "cLEMENCy bin plugin",
  .license = "LGPL3",
  .baddr = _baddr,
  .check_bytes = _check_bytes,
  .create = _create,
  .destroy = _destroy,
  .info = _info,
  .load = _load,
  .minstrlen = 0,
  .patch_relocs = _patch_relocs,
  .sections = _sections,
};
20

bin_clcy
• How to initialize NFO?
• .patch_relocs
• Patch relocations in ELF/bFLT/CGC (Cyber Grand Challenge), especially useful for ET_REL
• Abuse it: create and initialize a malloc:// map
21

bin_clcy _patch_relocs
static RList *_patch_relocs(RBin *b) {
  ...
  RIOSection sec = {.name = "NFO", .size = n_buf * 2, .vsize = 0x4000,
                    .flags = R_IO_READ | R_IO_EXEC};
  (void)r_io_create_mem_map (b->iob.io, &sec, NFO_VADDR, false);
  (void)r_io_write_at (b->iob.io, NFO_VADDR, (const ut8 *)buf, len * 2);
  ...
}
22

asm_clcy
• IDA Pro processor in the game, processor_t.{ana,out}
• disassembler
• assembler
• https://github.com/pwning/defcon25-public by Plaid Parliament of Pwning
• X macros
23

r_asm_plugin_clcy
static RAsmPlugin r_asm_plugin_clcy = {
  .name = "clcy",
  .desc = "cLEMENCy asm",
  .arch = "clcy",
  .license = "LGPL3",
  .bits = 64, // in accordance with r_anal_plugin_clcy
  .disassemble = _disassemble,
  .assemble = _assemble,
};
24

asm_clcy struct inst_t
typedef struct {
  ut64 code, opcode;
  int id, size;
  ut32 pc, funct;
  st32 imm;
  ut16 cc, reg_count;
  ut8 adj_rb, arith_signed, is_imm, mem_flags, rA, rB, rC, rw, uf;
} inst_t;
25

asm_clcy disassembler
// Group instructions by forms
do {
  FORMAT( R ) // assume this is an R-form instruction
  // If funct == 0b0000000 && arith_signed == 0 && is_imm == 0
  // This is ad --> break
  INS_3( ad, 0b0000000, funct, 0, arith_signed, 0, is_imm, 0 )
  // Try adc
  INS_3( adc, 0b0100000, funct, 0, arith_signed, 0, is_imm, 0 )
  // Try others
  ...
  FORMAT( R_IMM ) // assume this is an R_IMM-form instruction
  INS_2( adci, 0b0100000, arith_signed, 0, is_imm, 1 )
  ...
} while (0);

#define FORMAT(fmt) ok = decode_##fmt ...
#define INS_1(x,opc,f1,v1) if (inst.opcode==opc && inst.f1==v1) ...
#define INS_2(x,opc,f1,v1,f2,v2) if (inst.opcode==opc && inst.f1==v1 && inst.f2==v2) ...
26

asm_clcy assembler
• "wa ldt r1, [r0+0x57, 7]; ad. r0,r1,r1"
• Recursive descent parser: parse_{imm,rA,rB,rC,uf,comma,space,…}
• Reuse X macros in disassembler
Suggest using a recursive descent parser in command parsing
28

asm_clcy assemble_BIN_R_IMM
#define FIELD(name, offset, count) | ((ut64)inst->name << (bit_size - count - offset))
#define FORM_BIN_R_IMM FIELD(opcode, 0, 8) FIELD(rA, 8, 5) FIELD(imm, 13, 14)

static int assemble_BIN_R_IMM(inst_t *inst, const char **src) {
  int bit_size = 27;
  if (parse_space (inst, src)) return 1; // parse error
  if (parse_rA (inst, src)) return 1;
  if (parse_comma (inst, src)) return -1;
  if (parse_imm_st (inst, src, 14)) return 2;
  inst->imm &= (1 << 14) - 1;
  if (parse_end (src)) return 2;
  inst->size = 3; // 3 nytes
  inst->code = 0 FORM_BIN_R_IMM; // assemble all components
  return 0;
}
29

wa
30

anal_clcy
• IDA Pro processor in the game, processor_t.emu
• Differentiate JMP/CALL/MOV/PUSH/RET/SWI/…, whether COND,IND,MEM,REG,… are used
  • R_ANAL_OP_TYPE_{JMP,COND,RCALL,RJMP,CRET,…}
  • include/r_anal.h anal/p/anal_gb.c
• Stack pointer delta (arguments, local variables), add_stkpnt
• ESIL translator
31

ESIL
• Evaluable Strings Intermediate Language
• anal/esil.c
• Stack-oriented, Forth, DWARF expressions
• mh r0, 0xffdf: 0x3ff,r0,&,10,65503,<<,|,r0,=
• Decent support for 32/64 bits, needing work for 8/16 bits
• What if 27-bit/54-bit (register pair) + middle-endian?
32

anal_clcy ESIL
• Just set RAnal::bits to 64 and define custom commands (r_anal_esil_set_op)
• binop: another argument for variants (carry/multi reg/imm/signedness/update flags) + instruction family (add/sub/…)
• addcm. r3,r2,r0 : "r0,r2,r3,'.cm+,binop"
• '.cm+
  • ' no special, arbitrary character borrowed from Lisp
  • . update flags
  • c with carry
  • m multi reg (register pair)
  • + add
33

clcy_custom_binop
r_anal_esil_set_op (esil, "binop", clcy_custom_binop);

static int clcy_custom_binop(RAnalEsil *esil) {
  bool carry = false, uf = false, mf;
  char *op = r_anal_esil_pop (esil), *op1 = op + 1,
       *rA = r_anal_esil_pop (esil), *rB = r_anal_esil_pop (esil), *rC = r_anal_esil_pop (esil);
  ...
  if (*op1 == '.') uf = true, op1++; // .: update flags
  if (*op1 == 'c') carry = true, op1++; // c: carry
  if (*op1 == 'm') ... // m: multi reg
  switch (*op1) {
  case '+':
    a = b + c;
    if (carry && read_fl (esil) & 2) a++;
    ...
  case '-': ...
  }
  if (uf) { /* update Carry/Overflow/Sign/Zero flags */ }
  ...
}
34
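The binop command of the two ESIL slides above, as an added stand-alone model written for this page; it is not code from the slides or from r2cLEMENCy and uses no radare2 API. It parses the variant token, runs the 27-bit or 54-bit (register pair) add/sub and updates the flags. Carry as bit 1 comes from the read_fl (esil) & 2 test in clcy_custom_binop; the Zero/Overflow/Sign bit positions, the borrow convention for subtraction and the register contents in the worked cases are assumptions of the example:

```c
/* Added example (not from the slides or r2cLEMENCy): a stand-alone model of
 * the "binop" custom ESIL command with 27-bit / 54-bit flag arithmetic. */
#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Carry = bit 1 matches "read_fl (esil) & 2"; Zero, Overflow and Sign as bits
 * 0, 2 and 3 follow the order the slides list them in (an assumption). */
enum { FL_Z = 1, FL_C = 2, FL_O = 4, FL_S = 8 };
#define MASK27 0x7ffffffULL

typedef struct { bool update_flags, carry, multi; char op; } binop_variant;

/* Variant token: the ' marker, then optional '.', 'c', 'm', then + or -. */
bool parse_variant(const char *tok, binop_variant *v) {
    memset(v, 0, sizeof *v);
    if (*tok++ != '\'') return false;
    if (*tok == '.') { v->update_flags = true; tok++; } /* .: update flags */
    if (*tok == 'c') { v->carry = true; tok++; }        /* c: with carry */
    if (*tok == 'm') { v->multi = true; tok++; }        /* m: register pair */
    if ((*tok != '+' && *tok != '-') || tok[1] != '\0') return false;
    v->op = *tok;
    return true;
}

/* a = b op c on 27-bit (54-bit when multi) values. *fl supplies the carry-in
 * and is rewritten when the variant asks for it. Using the carry flag as a
 * borrow on subtraction is an assumption of this example. */
uint64_t clcy_binop(const binop_variant *v, uint64_t b, uint64_t c, uint32_t *fl) {
    int bits = v->multi ? 54 : 27;
    uint64_t mask = (1ULL << bits) - 1, sign = 1ULL << (bits - 1);
    uint64_t cin = (v->carry && (*fl & FL_C)) ? 1 : 0, full, a;
    bool cout, ovf;
    b &= mask; c &= mask;
    if (v->op == '+') {
        full = b + c + cin;
        a = full & mask;
        cout = (full >> bits) & 1;
        ovf = !((b ^ c) & sign) && ((b ^ a) & sign); /* same-sign in, other sign out */
    } else {
        full = b - c - cin;
        a = full & mask;
        cout = b < c + cin;                           /* borrow out */
        ovf = ((b ^ c) & sign) && ((b ^ a) & sign);
    }
    if (v->update_flags) {
        *fl &= ~(uint32_t)(FL_Z | FL_C | FL_O | FL_S);
        if (a == 0)   *fl |= FL_Z;
        if (cout)     *fl |= FL_C;
        if (ovf)      *fl |= FL_O;
        if (a & sign) *fl |= FL_S;
    }
    return a;
}

/* Registers and flags. A pair rN:rN+1 has rN as the high half, as in
 * "r3:r4 = (r27<<27 | r28) / ..." on the Instructions slide; r31 pairs with r0. */
typedef struct { uint64_t r[32]; uint32_t fl; } clcy_state;

static int reg_index(const char *t) {
    char *end;
    if (t[0] != 'r' || t[1] == '\0') return -1;
    long i = strtol(t + 1, &end, 10);
    return (*end != '\0' || i < 0 || i > 31) ? -1 : (int)i;
}
static uint64_t get_reg(const clcy_state *s, int i, bool multi) {
    return multi ? s->r[i] << 27 | s->r[(i + 1) & 31] : s->r[i];
}
static void set_reg(clcy_state *s, int i, bool multi, uint64_t v) {
    if (multi) { s->r[(i + 1) & 31] = v & MASK27; v >>= 27; }
    s->r[i] = v & MASK27;
}

/* Evaluate "rC,rB,rA,'variant,binop": four tokens are pushed, then binop pops
 * them in the same order as clcy_custom_binop (op, rA, rB, rC). */
bool eval_binop_expr(clcy_state *s, const char *expr) {
    char buf[64], *tok[5];
    int n = 0;
    if (strlen(expr) >= sizeof buf) return false;
    strcpy(buf, expr);
    for (char *p = strtok(buf, ","); p; p = strtok(NULL, ",")) {
        if (n == 5) return false;
        tok[n++] = p;
    }
    if (n != 5 || strcmp(tok[4], "binop") != 0) return false;
    binop_variant v;
    int rA = reg_index(tok[2]), rB = reg_index(tok[1]), rC = reg_index(tok[0]);
    if (!parse_variant(tok[3], &v) || rA < 0 || rB < 0 || rC < 0) return false;
    set_reg(s, rA, v.multi,
            clcy_binop(&v, get_reg(s, rB, v.multi), get_reg(s, rC, v.multi), &s->fl));
    return true;
}

/* Worked cases on constructed register contents. */
int binop_self_check(void) {
    clcy_state s = {{0}, 0};
    s.r[2] = 0x3ffffff; s.r[0] = 1;                  /* largest positive + 1 */
    bool ok = eval_binop_expr(&s, "r0,r2,r3,'.+,binop")
           && s.r[3] == 0x4000000 && s.fl == (FL_O | FL_S);
    s.fl = FL_C; s.r[2] = 0x7ffffff; s.r[0] = 0;     /* 0x7ffffff + 0 + carry-in */
    ok = ok && eval_binop_expr(&s, "r0,r2,r3,'.c+,binop")
           && s.r[3] == 0 && s.fl == (FL_Z | FL_C);
    s.fl = 0; s.r[2] = 0; s.r[3] = 0x7ffffff; s.r[0] = 0; s.r[1] = 1;
    ok = ok && eval_binop_expr(&s, "r0,r2,r4,'.m+,binop") /* r2:r3 + r0:r1 -> r4:r5 */
           && s.r[4] == 1 && s.r[5] == 0 && s.fl == 0;
    return ok;
}
```

The third case is the one that justifies the 64-bit RAnal::bits choice: the pair add carries out of the low 27-bit half into the high register, which a 32-bit ESIL evaluator could not represent without splitting the operation by hand.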
Local variables/arguments detection
• Analysis engine detects with patterns like 0x..,st,+
• We have custom load/store commands to emulate LD[SWT], ST[SWT]
• No-op 0x34,st,+,POP to appease analysis engine
35

RAnalPlugin
static RAnalPlugin r_anal_plugin_clcy = {
  .name = "clcy",
  .desc = "cLEMENCy analysis",
  .license = "LGPL3",
  .arch = "clcy",
  .bits = 64, // we use 64-bit integers in esil to emulate 27-bit and 54-bit
  .esil_init = esil_clcy_init,
  .esil_fini = esil_clcy_fini,
  .esil_intr = esil_clcy_intr,
  .esil = true,
  .op = &clcy_op,
  .set_reg_profile = set_reg_profile,
};
36

VV
37

parse_clcy
• Bad name https://github.com/radare/radare2/issues/4317
• How to substitute variables for BP/SP offsets: asm.varsub
• How to generate C-like pseudo disassembly: pdc
38

r_parse_plugin_clcy
static int _parse(RParse *p, const char *src, char *dst);
static bool _varsub(RParse *p, RAnalFunction *f, ut64 addr, int oplen,
                    char *src, char *dst, int len);

RParsePlugin r_parse_plugin_clcy = {
  .name = "clcy",
  .desc = "cLEMENCy",
  .parse = _parse,
  .varsub = _varsub,
};
39

parse_clcy _parse
static int _parse(RParse *p, const char *src, char *dst) {
  RCore *core = p->user;
  RAsmOp op;
  int len;
  // `assemble` could be saved if we had access to metadata of previous
  // call to `assemble`
  if ((len = assemble (core->assembler->pc, &op, src)) > 0 &&
      disassemble (core->assembler->pc, &op, op.buf, len, true) > 0) {
    strcpy (dst, op.buf_asm);
  } else {
    strcpy (dst, src);
  }
  return true;
}
40

parse_clcy _varsub
static bool _varsub(RParse *p, RAnalFunction *f, ut64 addr, int oplen,
                    char *src, char *dst, int len) {
  ...
  // Stack register variable st+%#x
  r_list_foreach (bpargs, iter, var) {
    if (var->delta >= 0) {
      sub = r_str_newf ("[st+%#x", var->delta);
    } else {
      sub = r_str_newf ("[st-%#x", -var->delta);
    }
    // replace sub with var->name
    ...
  }
42

asm.varsub
See local_* variables. 0 offset is not handled currently
43